CVE-2026-12198 | Microweber up to 2.0.20 API Endpoint thumbnail_img userfiles_path cache_path_relative path traversal (Issue 1172)
A vulnerability categorized as critical has been discovered in Microweber up to 2.0.20. It affects the function userfiles_path in the file /api_nosession/thumbnail_img of the component API Endpoint. Manipulating the argument cache_path_relative can lead to path traversal.
This vulnerability is registered as CVE-2026-12198. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
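
A log check for the endpoint and argument named above, added here as an example and not taken from the advisory or from Microweber: it flags requests to /api_nosession/thumbnail_img whose cache_path_relative value contains a `..` segment after repeated percent-decoding. It assumes combined-format access logs and that the argument arrives in the query string; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/api_nosession/thumbnail_img"  # endpoint named in the advisory
PARAM = "cache_path_relative"              # argument named in the advisory

# Assumption: the request line is the quoted 'METHOD target HTTP/x.y' field.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(lines):
    """Return (line_number, value) pairs; value is as decoded once by parse_qsl."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        # endswith() also matches installs under a sub-directory
        if not url.path.rstrip("/").endswith(ENDPOINT):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and is_traversal(value):
                hits.append((number, value))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=thumbs/200 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=..%2F..%2Fconstructed HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=%252e%252e%255cconstructed HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /other?cache_path_relative=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {PARAM}={value!r}")
```

Access logs normally record only the request line, so an argument sent in a request body will not be seen by this check; a WAF or application-level log is needed for that case.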